def __init__(self): BaseModule.__init__(self) self.vmm = VMM(self.cs) self.random_order = True self.gprs = GPRS self.vector_reg = None self.iterations = DEFAULT_RANDOM_ITERATIONS self.maxval = DEFAULT_MAXVAL_RANDOM
def __init__(self): BaseModuleDebug.__init__(self) self.hypercall = VMM(self.cs) self.hypercall.init() self.membuf = self.cs.mem.alloc_physical_mem(4*0x1000, 0xFFFFFFFF) self.cs.mem.write_physical_mem(self.membuf[1], 4*0x1000, '\x00' * 4*0x1000) self.old_sint2 = [] self.old_simp = [] self.old_siefp = [] self.simp = [] self.siefp = []
def run(self): t = time.time() try: self.vmm = VMM(self.cs) except VMMRuntimeError as msg: self.logger.error(msg) return self.vmm.init() self.func() self.logger.log("[CHIPSEC] (vmm) time elapsed {:.3f}".format( (time.time() - t)))
class HyperV(BaseModuleDebug): def __init__(self): BaseModuleDebug.__init__(self) self.hypercall = VMM(self.cs) self.hypercall.init() self.membuf = self.cs.mem.alloc_physical_mem(4*0x1000, 0xFFFFFFFF) self.cs.mem.write_physical_mem(self.membuf[1], 4*0x1000, '\x00' * 4*0x1000) self.old_sint2 = [] self.old_simp = [] self.old_siefp = [] self.simp = [] self.siefp = [] def __del__(self): BaseModuleDebug.__del__(self) self.dbg('Free kernel memory') #if self.membuf[0] <> 0: # self.cs.mem.free_physical_mem(self.membuf[0]) if len(self.old_sint2) == 2: self.cs.msr.write_msr(0, HV_X64_MSR_SINT2, self.old_sint2[0], self.old_sint2[1]) if len(self.old_simp) == 2: self.cs.msr.write_msr(0, HV_X64_MSR_SIMP, self.old_simp[0], self.old_simp[1]) if len(self.old_siefp) == 2: self.cs.msr.write_msr(0, HV_X64_MSR_SIEFP, self.old_siefp[0], self.old_siefp[1]) for i in [x for x in self.ringbuffers]: del self.ringbuffers[i] ## ## hv_init ## def hv_init(self): self.old_sint2 = self.cs.msr.read_msr(0, HV_X64_MSR_SINT2) self.old_simp = self.cs.msr.read_msr(0, HV_X64_MSR_SIMP) self.old_siefp = self.cs.msr.read_msr(0, HV_X64_MSR_SIEFP) pa = self.membuf[1] self.sint3 = self.cs.msr.read_msr(0, HV_X64_MSR_SINT3) self.cs.msr.write_msr(0, HV_X64_MSR_SINT2, self.sint3[0], self.sint3[1]) self.cs.msr.write_msr(0, HV_X64_MSR_SIEFP, (pa & 0xFFFFFFFF) | 0x1, pa >> 32) #self.cs.msr.write_msr(0, HV_X64_MSR_SCONTROL, 0x1, 0x0) self.simp = self.cs.msr.read_msr(0, HV_X64_MSR_SIMP) self.siefp = self.cs.msr.read_msr(0, HV_X64_MSR_SIEFP) self.simp = (self.simp[0] + (self.simp[1] << 32)) & 0xFFFFFFFFFFFFF000 self.siefp = (self.siefp[0] + (self.siefp[1] << 32)) & 0xFFFFFFFFFFFFF000 return ## ## hv_post_msg - Send a message ## def hv_post_msg(self, message): retries = 3 hciv = hv_hciv(0, 0, HV_POST_MESSAGE) while retries > 0: result = self.hypercall.hypercall64_memory_based(hciv, message[:0x100]) & 0xFFFF if result == HV_STATUS_INSUFFICIENT_BUFFERS: retries -= 1 time.sleep(0.1) else: retries = 0 return result ## ## hv_recv_msg - recieve message if exist otherwise empty string ## def hv_recv_msg(self, sint): buffer = self.cs.mem.read_physical_mem(self.simp + 0x100*sint, 0x100) message_type, payload_size, message_flags = unpack('<LBB', buffer[0:6]) if message_type == HVMSG_NONE: buffer = '' else: self.cs.mem.write_physical_mem(self.simp + 0x100*sint, 0x4, DD(HVMSG_NONE)) if message_flags & 0x1: self.cs.msr.write_msr(0, HV_X64_MSR_EOM, 0x0, 0x0) return buffer ## ## hv_signal_event - send an event notification ## def hv_signal_event(self, connection_id, flag_number): hciv = hv_hciv(0, 0, HV_SIGNAL_EVENT) buffer = pack('<LHH', connection_id, flag_number, 0x0) result = self.hypercall.hypercall64_memory_based(hciv, buffer) & 0xFFFF return result ## ## hv_recv_events - recieve all current events ## def hv_recv_events(self, sint): events = set() buffer = self.cs.mem.read_physical_mem(self.siefp + 0x100*sint, 0x100) buffer = unpack('<64L', buffer) for i in xrange(64): if buffer[i]: for n in xrange(32): if (buffer[i] >> n) & 0x1: events.add(i*32 + n) return events
class VMMCommand(BaseCommand): def requires_driver(self): parser = ArgumentParser(prog='chipsec_util vmm', usage=__doc__) subparsers = parser.add_subparsers() parser_hypercall = subparsers.add_parser('hypercall') parser_hypercall.add_argument('ax', type=lambda x: int(x, 16), help='rax/eax value (hex)') parser_hypercall.add_argument('bx', type=lambda x: int(x, 16), help='rbx/ebx value (hex)') parser_hypercall.add_argument('cx', type=lambda x: int(x, 16), help='rcx/ecx value (hex)') parser_hypercall.add_argument('dx', type=lambda x: int(x, 16), help='rdx/edx value (hex)') parser_hypercall.add_argument('di', type=lambda x: int(x, 16), help='rdi/edi value (hex)') parser_hypercall.add_argument('si', type=lambda x: int(x, 16), help='rsi/esi value (hex)') parser_hypercall.add_argument('r8', type=lambda x: int(x, 16), nargs='?', default=0, help='r8 value (hex)') parser_hypercall.add_argument('r9', type=lambda x: int(x, 16), nargs='?', default=0, help='r9 value (hex)') parser_hypercall.add_argument('r10', type=lambda x: int(x, 16), nargs='?', default=0, help='r10 value (hex)') parser_hypercall.add_argument('r11', type=lambda x: int(x, 16), nargs='?', default=0, help='r11 value (hex)') parser_hypercall.set_defaults(func=self.vmm_hypercall) parser_pt = subparsers.add_parser('pt') parser_pt.add_argument('eptp', type=lambda x: int(x, 16), help='Pointer (hex)') parser_pt.set_defaults(func=self.vmm_pt) parser_ept = subparsers.add_parser('ept') parser_ept.add_argument('eptp', type=lambda x: int(x, 16), help='Pointer (hex)') parser_ept.set_defaults(func=self.vmm_pt) parser_virtio = subparsers.add_parser('virtio') parser_virtio.add_argument('bdf', type=str, nargs='?', default=None, help='<bus>:<device>.<function>') parser_virtio.set_defaults(func=self.vmm_virtio) parser.parse_args(self.argv[2:], namespace=self) return True def vmm_virtio(self): if self.bdf is not None: match = re.search( r"^([0-9a-f]{1,2}):([0-1]?[0-9a-f]{1})\.([0-7]{1})$", self.bdf) if match: _bus = int(match.group(1), 16) & 0xFF _dev = int(match.group(2), 16) & 0x1F _fun = int(match.group(3), 16) & 0x07 vid = self.cs.pci.read_word(_bus, _dev, _fun, 0) did = self.cs.pci.read_word(_bus, _dev, _fun, 2) dev = (_bus, _dev, _fun, vid, did) virt_dev = [dev] else: self.logger.error("Invalid B:D.F ({})".format(self.bdf)) self.logger.log(VMMCommand.__doc__) return else: self.logger.log("[CHIPSEC] Enumerating VirtIO devices...") virt_dev = get_virtio_devices(self.cs.pci.enumerate_devices()) if len(virt_dev) > 0: self.logger.log("[CHIPSEC] Available VirtIO devices:") print_pci_devices(virt_dev) for (b, d, f, vid, did) in virt_dev: VirtIO_Device(self.cs, b, d, f).dump_device() else: self.logger.log("[CHIPSEC] No VirtIO devices found") def vmm_hypercall(self): self.logger.log('') self.logger.log("[CHIPSEC] > hypercall") self.logger.log("[CHIPSEC] RAX: 0x{:016X}".format(self.ax)) self.logger.log("[CHIPSEC] RBX: 0x{:016X}".format(self.bx)) self.logger.log("[CHIPSEC] RCX: 0x{:016X}".format(self.cx)) self.logger.log("[CHIPSEC] RDX: 0x{:016X}".format(self.dx)) self.logger.log("[CHIPSEC] RSI: 0x{:016X}".format(self.si)) self.logger.log("[CHIPSEC] RDI: 0x{:016X}".format(self.di)) self.logger.log("[CHIPSEC] R8 : 0x{:016X}".format(self.r8)) self.logger.log("[CHIPSEC] R9 : 0x{:016X}".format(self.r9)) self.logger.log("[CHIPSEC] R10: 0x{:016X}".format(self.r10)) self.logger.log("[CHIPSEC] R11: 0x{:016X}".format(self.r11)) rax = self.vmm.hypercall(self.ax, self.bx, self.cx, self.dx, self.si, self.di, self.r8, self.r9, self.r10, self.r11) self.logger.log("[CHIPSEC] < RAX: 0x{:016X}".format(rax)) def vmm_pt(self): if self.eptp is not None: pt_fname = 'ept_{:08X}'.format(self.eptp) self.logger.log("[CHIPSEC] EPT physical base: 0x{:016X}".format( self.eptp)) self.logger.log( "[CHIPSEC] Dumping EPT to '{}'...".format(pt_fname)) self.vmm.dump_EPT_page_tables(self.eptp, pt_fname) else: self.logger.log( "[CHIPSEC] Finding EPT hierarchy in memory is not implemented yet" ) self.logger.error(VMMCommand.__doc__) return def run(self): t = time.time() try: self.vmm = VMM(self.cs) except VMMRuntimeError as msg: self.logger.error(msg) return self.vmm.init() self.func() self.logger.log("[CHIPSEC] (vmm) time elapsed {:.3f}".format( (time.time() - t)))
class HyperV(BaseModuleDebug): def __init__(self): BaseModuleDebug.__init__(self) self.hypercall = VMM(self.cs) self.hypercall.init() self.membuf = self.cs.mem.alloc_physical_mem(4 * 0x1000, 0xFFFFFFFF) self.cs.mem.write_physical_mem(self.membuf[1], 4 * 0x1000, '\x00' * 4 * 0x1000) self.old_sint2 = [] self.old_simp = [] self.old_siefp = [] self.simp = [] self.siefp = [] def __del__(self): BaseModuleDebug.__del__(self) self.dbg('Free kernel memory') #if self.membuf[0] <> 0: # self.cs.mem.free_physical_mem(self.membuf[0]) if len(self.old_sint2) == 2: self.cs.msr.write_msr(0, HV_X64_MSR_SINT2, self.old_sint2[0], self.old_sint2[1]) if len(self.old_simp) == 2: self.cs.msr.write_msr(0, HV_X64_MSR_SIMP, self.old_simp[0], self.old_simp[1]) if len(self.old_siefp) == 2: self.cs.msr.write_msr(0, HV_X64_MSR_SIEFP, self.old_siefp[0], self.old_siefp[1]) for i in [x for x in self.ringbuffers]: del self.ringbuffers[i] ## ## hv_init ## def hv_init(self): self.old_sint2 = self.cs.msr.read_msr(0, HV_X64_MSR_SINT2) self.old_simp = self.cs.msr.read_msr(0, HV_X64_MSR_SIMP) self.old_siefp = self.cs.msr.read_msr(0, HV_X64_MSR_SIEFP) pa = self.membuf[1] self.sint3 = self.cs.msr.read_msr(0, HV_X64_MSR_SINT3) self.cs.msr.write_msr(0, HV_X64_MSR_SINT2, self.sint3[0], self.sint3[1]) self.cs.msr.write_msr(0, HV_X64_MSR_SIEFP, (pa & 0xFFFFFFFF) | 0x1, pa >> 32) #self.cs.msr.write_msr(0, HV_X64_MSR_SCONTROL, 0x1, 0x0) self.simp = self.cs.msr.read_msr(0, HV_X64_MSR_SIMP) self.siefp = self.cs.msr.read_msr(0, HV_X64_MSR_SIEFP) self.simp = (self.simp[0] + (self.simp[1] << 32)) & 0xFFFFFFFFFFFFF000 self.siefp = (self.siefp[0] + (self.siefp[1] << 32)) & 0xFFFFFFFFFFFFF000 return ## ## hv_post_msg - Send a message ## def hv_post_msg(self, message): retries = 3 hciv = hv_hciv(0, 0, HV_POST_MESSAGE) while retries > 0: result = self.hypercall.hypercall64_memory_based( hciv, message[:0x100]) & 0xFFFF if result == HV_STATUS_INSUFFICIENT_BUFFERS: retries -= 1 time.sleep(0.1) else: retries = 0 return result ## ## hv_recv_msg - recieve message if exist otherwise empty string ## def hv_recv_msg(self, sint): buffer = self.cs.mem.read_physical_mem(self.simp + 0x100 * sint, 0x100) message_type, payload_size, message_flags = unpack('<LBB', buffer[0:6]) if message_type == HVMSG_NONE: buffer = '' else: self.cs.mem.write_physical_mem(self.simp + 0x100 * sint, 0x4, DD(HVMSG_NONE)) if message_flags & 0x1: self.cs.msr.write_msr(0, HV_X64_MSR_EOM, 0x0, 0x0) return buffer ## ## hv_signal_event - send an event notification ## def hv_signal_event(self, connection_id, flag_number): hciv = hv_hciv(0, 0, HV_SIGNAL_EVENT) buffer = pack('<LHH', connection_id, flag_number, 0x0) result = self.hypercall.hypercall64_memory_based(hciv, buffer) & 0xFFFF return result ## ## hv_recv_events - recieve all current events ## def hv_recv_events(self, sint): events = set() buffer = self.cs.mem.read_physical_mem(self.siefp + 0x100 * sint, 0x100) buffer = unpack('<64L', buffer) for i in xrange(64): if buffer[i]: for n in xrange(32): if (buffer[i] >> n) & 0x1: events.add(i * 32 + n) return events
class hypercallfuzz(BaseModule): def __init__(self): BaseModule.__init__(self) self.vmm = VMM(self.cs) self.random_order = True self.gprs = GPRS self.vector_reg = None self.iterations = DEFAULT_RANDOM_ITERATIONS self.maxval = DEFAULT_MAXVAL_RANDOM def is_supported(self): return True def fuzz_generic_hypercalls(self): _fmt = '{:02X}' if self.maxval <= 0xFF else ( '{:04X}' if self.maxval <= 0xFFFF else ('{:08X}' if self.maxval <= 0xFFFFFFFF else '{:016X}')) _str = "{} hcall rax={},rbx={},rcx={},rdx={},rdi={},rsi={},r8={},r9={},r10={},r11={}".format( '{:d}', _fmt, _fmt, _fmt, _fmt, _fmt, _fmt, _fmt, _fmt, _fmt, _fmt) t = time.time() if self.random_order: self.logger.log( "[*] Fuzzing {:d} random hypercalls with random arguments...". format(self.iterations)) for it in range(self.iterations): rax = random.randint(0, self.gprs['rax']) rbx = random.randint(0, self.gprs['rbx']) rcx = random.randint(0, self.gprs['rcx']) rdx = random.randint(0, self.gprs['rdx']) rdi = random.randint(0, self.gprs['rdi']) rsi = random.randint(0, self.gprs['rsi']) r8 = random.randint(0, self.gprs['r8']) r9 = random.randint(0, self.gprs['r9']) r10 = random.randint(0, self.gprs['r10']) r11 = random.randint(0, self.gprs['r11']) if _LOG_ALL_GPRS: self.logger.log( _str.format(it, rax, rbx, rcx, rdx, rdi, rsi, r8, r9, r10, r11)) else: self.logger.log("{:d} hcall".format(it)) if _FLUSH_LOG_EACH_ITER: self.logger.flush() try: res = self.vmm.hypercall(rax, rbx, rcx, rdx, rdi, rsi, r8, r9, r10, r11) except: pass else: it = 0 self.logger.log( "[*] Fuzzing hypercalls with arguments exhaustively...") for rax in range(self.gprs['rax']): for rbx in range(self.gprs['rbx']): for rcx in range(self.gprs['rcx']): for rdx in range(self.gprs['rdx']): for rdi in range(self.gprs['rdi']): for rsi in range(self.gprs['rsi']): for r8 in range(self.gprs['r8']): for r9 in range(self.gprs['r9']): for r10 in range(self.gprs['r10']): for r11 in range( self.gprs['r11']): if _LOG_ALL_GPRS: self.logger.log( _str.format( it, rax, rbx, rcx, rdx, rdi, rsi, r8, r9, r10, r11)) else: self.logger.log( "{:d} hcall". format(it)) if _FLUSH_LOG_EACH_ITER: self.logger.flush() try: res = self.vmm.hypercall( rax, rbx, rcx, rdx, rdi, rsi, r8, r9, r10, r11) it += 1 except: pass self.logger.log( "[*] finished fuzzing: time elapsed {:.3f}".format(time.time() - t)) return ModuleResult.PASSED def usage(self): self.logger.log( "Usage: chipsec_main -m tools.vmm.hypercallfuzz [ -a <mode>,<vector_reg>,<maxval>,<iterations> ]" ) self.logger.log(" mode hypercall fuzzing mode") self.logger.log( " = exhaustive fuzz all arguments exhaustively in range [0:<maxval>] (default)" ) self.logger.log( " = random send random values in all registers in range [0:<maxval>]" ) self.logger.log(" vector_reg hypercall vector register") self.logger.log(" maxval maximum value of each register") self.logger.log( " iterations number of iterations in random mode (default = {:d})" .format(DEFAULT_RANDOM_ITERATIONS)) def run(self, module_argv): self.logger.start_test("Dumb VMM hypercall fuzzer") self.usage() if len(module_argv) > 0: self.random_order = (module_argv[0].lower() == 'random') self.maxval = DEFAULT_MAXVAL_RANDOM if self.random_order else DEFAULT_MAXVAL_EXHAUSTIVE if len(module_argv) > 1: self.vector_reg = module_argv[1] if len(module_argv) > 2: self.maxval = int(module_argv[2], 16) if len(module_argv) > 3: self.iterations = int(module_argv[3]) for r in self.gprs: self.gprs[r] = self.maxval if self.vector_reg is not None: self.gprs[self.vector_reg] = DEFAULT_VECTOR_MAXVAL self.logger.log("\n[*] Configuration:") self.logger.log(" Mode : {}".format( 'random' if self.random_order else 'exhaustive')) self.logger.log(" Hypercall vector in: {}".format(self.vector_reg)) self.logger.log(" Max register value : 0x{:X}".format(self.maxval)) self.logger.log(" Iterations : {:d}\n".format( self.iterations)) return self.fuzz_generic_hypercalls()